Computer systems have found numerous applications in the industrial automation environment and are employed ubiquitously throughout, e.g., to control and/or monitor the operation of a process, machine, tool, device, and the like. To facilitate control of a process, etc., one or more controllers (e.g., a programmable logic controller (PLC)) are utilized with input/output (I/O) devices controlling operation of the process along with gathering process information (e.g., measurements, data, values, parameters, variables, metadata, etc.) pertaining to how the process is performing.
A plurality of computer systems can be operating at a single location, e.g., a power station, a nuclear power station, etc., to provide energy, resources, etc., wherein the plurality of computer systems can be operating on a local area network (e.g., a LAN, an intranet) communicatively coupled to the PLCs. However, such computer systems often include unpatched systems (e.g., legacy systems as well as modern systems) which are vulnerable to cyberattack by a malicious entity. Further, while the local network can be configured and/or constructed to operate in a secure manner (e.g., password access, etc.), it is often desired that a remote, but authorized, entity is also able to access the locally-networked computer systems. For example, an organization can comprise a plurality of power stations located throughout a region, wherein the plurality of power stations are monitored, controlled, etc., by a central operations center (e.g., a business center, head office). Hence, while each power station in the plurality of power stations is operating on its own local network, data from a power station may be required by the central operations center, wherein the central operations center is in communication with each power station via a wide area network (e.g., a regional network, the Internet, etc.). Operational instructions, request(s) for data, information, etc., can be transmitted between the central operations center and a power station via the Internet.
Further, various computer devices, etc., within a power plant may remain in operation for a long period of time (e.g., months, years), and the Internet protocol (IP) address of a computer device within the intranet may remain unchanged for an extended period of time.
Hence, a malicious entity can utilize the Internet to communicate an executable program to a power station, and further, with knowledge of an effectively static IP address, once the entity has gained access to the intranet, the entity can easily direct the executable program to the IP address of a device that is to undergo an attack. It is difficult to detect such an attack on a control system network, and/or on devices included in the network (e.g., computers, PLCs, machines, etc.), until it is too late, e.g., when the attack is already underway.
As highlighted by the STUXNET attack, discovered in June 2010, process control operations, and PLCs in particular, have become a focus for malicious attack, such as by a computer worm, virus or other malware. As a generalized overview, the STUXNET attack involved a computer worm taking control of a PLC, wherein the PLC was controlled to effect destruction of a component and/or apparatus while, at the same time, the PLC was reporting that the component/apparatus was operating correctly.